need to replace the value of a field only when oth...

mjones414 · ‎05-10-2018

I'm trying to add more specific data to a particular field by replacing it with another value when other conditions exist:

I've tried if(match(, case(match( and if(searchmatch( and I've not yet found the right function that accepts these conditions.

... | inputlookup inventory.csv | fields WORKGROUP,ASSETNAME,SERIALNUMBER,ASSETTYPE,CONTACT,CONTACTNAME,HARDWARE,OS,SERIALNUMBER | fields - _raw | search WORKGROUP=MYTEAM | eval ASSETTYPE=if(searchmatch("HARDWARE=*MODEL1* OR HARDWARE=*MODEL2*") AND case(OS,"Windows*") AND case(WORKGROUP="MYTEAM"),"Windows Technical Workstation",ASSETTYPE)
Functionally what I want to accomplish is to replace the value of "Desktop" with "Windows Technical Workstation" in all entries where the HARDWARE matches MODEL1 OR MODEL 2, AND its running a Windows OS managed my MYTEAM.

datasearchninja · ‎05-10-2018

Try this:

| inputlookup inventory.csv 
| eval ASSETTYPE=if((ASSETTYPE=="Desktop" AND WORKGROUP=="MYTEAM" AND searchmatch("OS=Windows* AND (HARDWARE=MODEL1 OR HARDWARE=MODEL2)")), "Windows Technical Workstation",ASSETTYPE)

need to replace the value of a field only when other values are present from other fields

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...